Cheating on Your Security Audits

An audit isn't worth much if the people doing it are cutting corners. Unfortunately, a survey by the folks at Tufin Technologies suggests many IT pros may be doing exactly that.

The survey, which was conducted at the InfoSecurity Europe 2009 Conference in April, took opinions from 151 IT security pros. The aim was to determine companies' approach to firewall auditing and management.

What Tufin turned up was that 20 percent of the respondents admitted they or a colleague had cheated on an audit to get it passed. The company did not ask specifically how they cheated, citing time constraints. But if applied generally, it could be there are many networks operating a false sense of their own security posture.

Going deeper, 9 percent of the respondents admitted that they never bother to check and audit their firewalls at all. Sixty-three percent said they do it every three months to a year.

The problem here is obvious. If firewalls are on the frontline of defense for your network and you don't have a real sense of what policies are in place, managing network security effectively becomes difficult.

This is, of course, an area Tufin plays in. Like Secure Passage, AlgoSec and others, Tufin provides management capabilities for firewalls from vendors like Cisco and Juniper Networks. The idea is to eliminate redundancies and provide visibility into the rules governing the firewalls on your network.

Though the how and the why behind the 20 percent mentioned above is unknown, the time it takes to perform an audit may have something to do with it. According to the study, 22 percent of the audits take from a few weeks to a few months. Seventy percent, however, said their audits only take a few days.

Now it's the Internet, so you have the opportunity to be anonymous -- how many of you would cheat on an audit to get it done and out of the way?